The Myth of the Trustless Dapp
What do we mean when we say an app is “trustless”?

Preethi Kasireddy has covered this ground before. We should first learn from her wisdom before we set out again:
I’ve come to realize that the term “trustless” is ambiguous, confusing, and most importantly, inaccurate. (Blockchains) distribute trust (by using economics to) incentivize actors to cooperate with the rules defined by the protocol.
This post will demonstrate that decentralized apps also use incentives and rules to produce cooperation such that everyone is benefited. Trusting the rules doesn’t mean we blindly trust the individual actors.
The next time someone asks me, “Is your app trustless?”

I will likely be tempted to ask them, “can you please be more specific?” Unfortunately I’m not presented with this question but more commonly the accusation, “why isn’t your app trustless?” To which I’m tempted to respond, “why isn’t your question accurate?” I’m not trying to be rude but you don’t walk into a factory and tell the owner, “gee this is a really nice factory you have here, why isn’t it workerless?”
Myths such as the workerless factory, the paperless office or the cashless society have been with us for more than a decade and we’ve yet to see them manifest themselves in any absolute way at scale. We have factories with greater automation, offices with greener policies and societies that rely more on digital transactions. We do not yet have absolute demonstrations of the ideal. This is because implementation exists to varying degrees and rarely in absolute terms. A term is poorly defined if it means different things to different people, and trustless is one of these words. A perfectly trustless app does not exist. Every decentralized app is on a spectrum of trust where complete trustlessness for all threat models is an ideal. No one has yet achieved it, and anyone who would tell you otherwise is lying to you.
I’ve had a few contacts since my prior blog post make this type of suggestion. At first my reaction was that some non-technical people may not understand this concept. But someone who I believed was technical asked me the following question,
Colleague, “Do you have any intention of creating a trustless version of the app?”
To which I responded, “Where a sci-fi AI approves policyholders and awards claims or something like that? You’re kidding, right?”
He clarified by saying, “No. What I meant was, have you ever considered removing your reliance on the secretary?”
I took a deep breath and I considered that there are a few potential reasons why he asked me that question:
- I didn’t do a good job of explaining TandaPay’s checks and balances in the blog post.
- He didn’t bother to read what I wrote very carefully.
- This concept is too new for someone to create an accurate mental model of how it operates after a single read through.
- When people try to oversimplify something the nuance is lost.
After our conversation I realized that this same dialogue had come up several times with other individuals. “Trustless” has apparently become a common buzzword. As soon as someone sees some feature they think is “centralized” they may be quick to assume that trust is required by the participants. This would be similar to a foreigner making the assumption that, because the President’s signature is required in the US for any bill to become a law, the President is the de facto dictator of America. Many Americans would balk at such an erroneous oversimplification. Yet, these are the same people who have been quick to come to the conclusion that if any app utilizes a central coordinator it must not be “trustless.”
Oversimplification = Bad

Incentive architecture can be complex. If we are serious about making an honest attempt at understanding the role a central coordinator might play, we should take into consideration some guiding principles. The goal of this blog post is to help my reader realize:
1. Asking if an app is trustless is like asking for the marriage status of the color blue. It makes absolutely no sense without some specific context.
2. The right context is, “who is holding my money?” Relying on humans to hold other people’s money is bad. Good architecture should remove this unnecessary liability.
3. Use of a central coordinator does not necessarily require that parties trust anyone. If the coordinator is never in custody of participants’ funds see #2.
This post will not mention the secretary or the role of the secretary. I’ve written over 10,000 words on this and repeating myself isn’t going to help anyone. Instead I’m going to approach the problem from a completely different direction.
Forget that there is a central coordinator called the secretary, instead “follow the money.” Do you see a third party custodian of other people’s money in the architecture? If so, there might be good reason to believe that participants are required to trust this custodian. If you don’t see one then policyholders should be in direct custody of their funds. Whose authorization is required to transfer a policyholder’s premium to the claimants? Is it the secretary’s or the individual policyholders’? If authorization of payments allows for direct transfer of funds, then this makes a strong case that the system has no third party custodians.
If you’ve never tried to imagine how a payment system might work without relying on banks then this might be completely new. In which case I will try and keep my explanation simple even though the illustrations are complex. Don’t try to understand the illustrations if they don’t immediately seem familiar to you. Rather, I hope you can “trust” that my explanation of the illustrations is an accurate simplification that doesn’t misrepresent how these systems actually work. If you can trust my explanation then I think we can both reach the same conclusion together.
What really requires trust: the banking network
Part 1 — Understanding the chain of custody for fiat

The only takeaway from the above picture is that contractual agreements allow third parties to hold our funds. Besides an insurance policy which is a contract that sets out specific guarantees in return for the payment of a premium, there are contracts that allow money to move:
- From you to your bank
- From your bank to any other bank
Other than the cash we may have in our wallet, we almost never hold funds directly. People in modern societies have decided to entrust nearly all of their wealth with third parties. What allows us to entrust our funds with third parties is a guarantee that we will get these funds back. This guarantee is known as a contract. This contract is enforced by our legal system. The rulings of our courts are enforced by the DOJ and various local police departments entrusted with the practical enforcement of the law.
In sum total we refer to this system as the rule of law. In countries where the rule of law is weak you cannot easily trust third party custodians. This is because without a system to enforce contractual agreements there is no guarantee that your property will be returned to you. Corrupt courts or law enforcement weaken the rule of law and the ability for individuals to reliably own property.

Funny story, man walks into a bank with a junk check and attempts to cash it. Bank gives man $95,093.35 💲cha-ching💲. Man then converts this to a cashier’s check before the bank realizes their mistake. This was an error on the part of the bank, but it caused many to wonder if the money was actually his.

It’s stories like these that make you wonder how easy it is to commit actual check fraud just by having someone else’s valid account and routing numbers on the bottom of a false check. The reality is that 15 years ago the knowledge of anyone's account and routing number was all you needed in many cases to commit real check fraud. See this article on the famous Leonardo DiCaprio movie Catch Me if You Can. Since there was (almost) no technology protecting people from fraud this created the need for banks to carry insurance against fraudulent payments. More contracts in other words. Banks also needed to be tightly integrated into the legal system to pursue lawful enforcement of these contracts and to track down and capture offenders.
Banking networks which have enabled every form of non-cash payment until 2010 depend entirely on human institutions. These human institutions enforce contracts and these contracts provide guarantees. But this type of payment system is incredibly expensive to protect because historically it has been so vulnerable to fraud. Regulations are put in place for all financial operators who use the banking network regardless of who they are. Regulatory compliance is also very expensive. If we can simply avoid using traditional payment networks then we can circumvent billions of dollars of regulatory overhead.
The next section highlights how the power of an unforgeable signature can eliminate fraud from our cryptocurrency payment networks. Instead of relying on man-made contracts enforced by human institutions, technology gives us a better option. We can opt for digital contracts enforced by cryptography. This technological route offers the following benefits:
- Cheaper to enforce
- Safer for participants
- Faster resolution of problems
Part 2 — Understanding the chain of custody for digital property

Individual lock box architecture allows for custody to remain in the possession of the policyholder.
These next two graphics are a bit complicated (chain of custody for digital property). The point is not to understand the graphics. The point is to use the graphics to see the big picture. The big picture you should take away from all four graphics is:
- With the banking network we have man-made contracts enforced by human institutions.
- With the blockchain network we have digital contracts using digital signatures (pen in phone icon) and global records enforced by technology.
If that is all you want to understand you can just skip over these two complicated graphics right now. Also I highly recommend you read Preethi Kasireddy’s article as her graphics are simpler and more concise in their explanation of blockchain. The complicated part is trying to understand two aspects of how custody for digital property works:
- Understanding the implications of blockchain payment technology. What relevant meaning does the technology have for how we transact?
- Understanding the mechanism of blockchain payment technology. How does the technology actually work?
To understand the implications of blockchain technology for how TandaPay functions we need to ask these questions:
- What is a digital signature?
- Why is a digital signature important?
- How does it remove the need for human institutions to enforce man-made contracts?
To understand the mechanism of how blockchain technology enables the payments that TandaPay uses we should ask these questions:
- Where does the ability to produce a digital signature come from?
- Where are the private keys stored? Can they be stolen?
- How do I know I can trust the blockchain to record my transactions?
Once you have an answer to these six questions you will be able to determine for yourself if policyholders have direct custody of their funds. If you carefully study these two graphics and the graphic in my last blog post: TandaPay Escrow Layer, then you can conclude for yourself that there are no third party custodians.
Policyholders are in direct control of their funds until they authorize payment to an approved claimant. That’s all we ever cared to discover by looking at these infographics and if you can see that then my job is done!

This post is already quite long. Cryptographic signature systems and blockchain technologies are far too complex to be embodied in a single authoritative post. Just by googling you can find more expert and well written articles than this one. I will come back to update this post with additional information if I feel it is relevant. For now, simply knowing the right questions to ask is half of the struggle when it comes to understanding the technology.

One final thing I will point out is that the first image “chain of custody for digital property” shows a private key inside of a phone and then the image above elaborates on how digital signatures work highlighting the role that private keys play. Private keys within public-key cryptographic systems are the means by which we eliminate third party custodians. They allow each individual to:
- Hold the authority to spend funds on the blockchain directly.
- Interact with smart contracts directly, allowing funds to be escrowed by smart contracts without giving up any authority over those funds.
If you can see this and understand the importance of this fact then your life will never be the same again! You will quit your job and go work on your (̶d̶u̶m̶b̶)̶ visionary blockchain startup with great ideals and bold plans for (̶w̶o̶r̶l̶d̶ ̶d̶o̶m̶i̶n̶a̶t̶i̶o̶n̶)̶ making the world a better place. Yay (or maybe not who knows really).
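The custody question asked earlier (whose authorization moves a policyholder's premium?) and the role of private keys, worked through as an added example that is not TandaPay's code: a hypothetical `Escrow` ledger where a coordinator can approve a claimant but only the policyholder's signature releases a payment. A hash-based Lamport one-time signature stands in for the wallet signatures a blockchain would use, so that it runs on the Python standard library alone; all names and amounts are constructed.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():  # Lamport one-time key pair: 256 secret pairs, public key = their hashes
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg: bytes):  # the 256 bits of SHA-256(msg)
    return [(byte >> k) & 1 for byte in H(msg) for k in range(8)]

def sign(sk, msg: bytes):  # reveal one secret per digest bit; needs the private key
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:  # anyone holding the public key can check
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))

class Escrow:
    """Hypothetical escrow: holds balances, releases them only on the owner's signature."""
    def __init__(self):
        self.accounts = {}     # holder -> [public key, balance, one-time key spent?]
        self.approved = set()  # claimants approved by the coordinator
    def deposit(self, holder, pk, amount):
        self.accounts[holder] = [pk, amount, False]
    def coordinator_approve(self, claimant):
        self.approved.add(claimant)  # approval alone moves no funds
    def pay(self, holder, claimant, amount, sig):
        pk, balance, spent = self.accounts[holder]
        msg = f"pay:{holder}:{claimant}:{amount}".encode()
        if claimant not in self.approved or spent or amount > balance:
            return "rejected: claimant, key or balance check failed"
        if not verify(pk, msg, sig):
            return "rejected: not signed by the policyholder"
        self.accounts[holder][1:] = [balance - amount, True]  # key is now spent
        return "paid"

def demo():  # constructed scenario: alice is a policyholder, carol a claimant
    (alice_sk, alice_pk), (coordinator_sk, _) = keygen(), keygen()
    escrow = Escrow()
    escrow.deposit("alice", alice_pk, 100)
    escrow.coordinator_approve("carol")
    msg = b"pay:alice:carol:40"
    forged = escrow.pay("alice", "carol", 40, sign(coordinator_sk, msg))
    genuine = escrow.pay("alice", "carol", 40, sign(alice_sk, msg))
    replayed = escrow.pay("alice", "carol", 40, sign(alice_sk, msg))
    return forged, genuine, replayed, escrow.accounts["alice"][1]
```

The coordinator's signature is rejected, the policyholder's is accepted once, and the replay fails because the one-time key is spent; a real chain would stop replays with a per-transaction nonce instead.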
Whew! You made it through the hard part of reading this post! Thank you. The rest of this post should be easy.
If I have but one job

There are different ways we trust the apps we use. There are also many ways the apps we use can violate that trust. As a financial engineer I’m focused on only one aspect of trust. My job is to eliminate third party custodians of funds from TandaPay’s architecture. I do not know if this functionality makes TandaPay “trustless” because the label of trustless isn’t specific enough to tell me anything about how an app functions. If allowing users to have direct control over their funds is what qualifies an app as being “trustless” then,
I believe that TandaPay’s financial architecture is the most trustless app architecture ever created for P2P insurance.
Apart from my belief, theoretically I’m sure that it’s possible to build architecture that has more features or complexity. There are many operating in the P2P insurance space and I welcome other developers to demonstrate how their architecture is better. By better I mean something that does more without compromising on the spirit of the decentralization movement. What can be more decentralized than removing third party custodians from our architecture? I hope this is the standard by which all apps in the space are evaluated rather than features which seem to offer greater “trustlessness.”
Trust should be based on the social contract

Returning back to Preethi Kasireddy’s post:
A more accurate way to describe blockchains is not as “trustless,” but as built on the basis of distributed trust: We are trusting everyone in aggregate.
this assumes that we trust that a majority of the power held in the system belongs to stakeholders who share similar values. Unfortunately, I don’t think we can claim — at least, not yet — to have figured out exactly what those shared values consist of.
To end this post I’d like to make the claim that:
- We do know what those values are.
- Incentive architecture can coordinate users to reach those shared values.
TandaPay does something unique. It takes specific values and makes them a focal point around which everyone's actions are coordinated. If you’ve never heard of a focal point before it can be described as, “the default option that people choose because they expect others will choose it.”
Julia Galef does an excellent job of explaining how this works by giving a great example from Good Will Hunting. Watching the video is well worth your time if you really want to understand the concept:









